Sean Waite wrote:
> I am in the process of setting up a second LAN (Wireless) using m0n0wall to bridge them. The first is the regular local LAN, the second
> being just an access point to connect to one specific webserver within the first LAN.

Why do you use bridging and not a second subnet with NAT?

> I have done two different configs of m0n0wall, one allowing DNS and the other rejecting DNS. Ideally with the secure config we want to
> be able to connect to this specific internal webserver only. At the moment we can only access other computers on the first LAN by using
> the IP address. Same goes for accessing the internet.

I don't understand why rejecting DNS should be more secure?

> Any ideas on how I could lock this down some more? One idea I had, since the WAN interface is static, I could set the gateway to use
> just the internal website's IP address. But as for blocking the first LAN, I would have to block whatever ports Windows uses for LAN
> communication which seems to be kind of difficult to narrow down.
>
> One option could be to just block all ports above 80, but for some reason that seems a little too restrictive.
>
> Any ideas or thoughts would be appreciated.

Maybe this is a solution:

first rule: WLAN to DNS server: allow
second rule: WLAN to m0n0wall's WLAN IP: block and log
next rules: WLAN to webserver, allowed ports: allow
next rule: WLAN to LAN: deny all / log
(next rules: WLAN to 0.0.0.0, allowed ports: allow)
last rule: WLAN to 0.0.0.0: deny all / log

bye
Christoph

> Sean Waite
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

--
last words: "let's make the backup tomorrow"
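The ruleset Christoph proposes only works because m0n0wall evaluates rules top-down and acts on the first match, so the specific allows (DNS, the webserver) must sit above the broad denies (the firewall's own WLAN address, the whole LAN, everything else). The Python block below is an added example that simulates that first-match evaluation; it is not code from the thread or from m0n0wall. The addresses are constructed for the example: WLAN 192.168.2.0/24, m0n0wall's WLAN address 192.168.2.1 (assumed to also run the DNS forwarder the WLAN clients use), LAN 192.168.1.0/24, the internal webserver at 192.168.1.10, and "allowed ports" taken to mean TCP 80 and 443. It runs sample packets through the ruleset and then through a misordered copy to show what breaks when the LAN deny is placed above the webserver allow.

```python
"""First-match firewall rule evaluation, modelled on the WLAN ruleset proposed in the thread.

All addresses, ports and rule names below are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WLAN_NET = ipaddress.ip_network("192.168.2.0/24")       # wireless segment
LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # regular local LAN
M0N0_WLAN_IP = ipaddress.ip_network("192.168.2.1/32")   # m0n0wall's WLAN interface (web GUI lives here)
DNS_SERVER = M0N0_WLAN_IP                               # assumption: m0n0wall's DNS forwarder serves the WLAN
WEBSERVER = ipaddress.ip_network("192.168.1.10/32")     # the one internal webserver WLAN users may reach
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_PORTS = frozenset({80, 443})                        # assumed meaning of "allowed ports"


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]          # "tcp", "udp" or None for any protocol
    dports: Optional[frozenset]   # destination ports, None for any port
    action: str                   # "allow" or "deny"
    log: bool = False

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))


def proposed_ruleset(allow_internet: bool = True) -> List[Rule]:
    """Christoph's rule order; the bracketed internet rule is optional, as in the thread."""
    rules = [
        Rule("1 WLAN->DNS allow", WLAN_NET, DNS_SERVER, "udp", frozenset({53}), "allow"),
        Rule("2 WLAN->m0n0 WLAN IP block", WLAN_NET, M0N0_WLAN_IP, None, None, "deny", log=True),
        Rule("3 WLAN->webserver allow", WLAN_NET, WEBSERVER, "tcp", WEB_PORTS, "allow"),
        Rule("4 WLAN->LAN deny all", WLAN_NET, LAN_NET, None, None, "deny", log=True),
    ]
    if allow_internet:
        rules.append(Rule("5 WLAN->any allowed ports", WLAN_NET, ANY, "tcp", WEB_PORTS, "allow"))
    rules.append(Rule("6 WLAN->any deny all", WLAN_NET, ANY, None, None, "deny", log=True))
    return rules


def swapped(rules: List[Rule], i: int, j: int) -> List[Rule]:
    """Copy of the ruleset with two positions exchanged, to demonstrate ordering mistakes."""
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or an implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d, proto, dport):
            return r.action, r.name
    return "deny", "implicit default deny"


# Constructed sample traffic from a WLAN client at 192.168.2.50.
SAMPLE_PACKETS = [
    ("192.168.2.50", "192.168.2.1", "udp", 53),      # DNS lookup via the forwarder
    ("192.168.2.50", "192.168.2.1", "tcp", 80),      # m0n0wall's own web GUI
    ("192.168.2.50", "192.168.1.10", "tcp", 80),     # the permitted internal webserver
    ("192.168.2.50", "192.168.1.10", "tcp", 445),    # SMB to the same host
    ("192.168.2.50", "192.168.1.20", "tcp", 80),     # another LAN host
    ("192.168.2.50", "198.51.100.7", "tcp", 443),    # internet HTTPS (TEST-NET-2 address)
    ("192.168.2.50", "198.51.100.7", "tcp", 25),     # internet SMTP
]

if __name__ == "__main__":
    for label, rules in (("proposed order", proposed_ruleset()),
                         ("LAN deny above webserver allow", swapped(proposed_ruleset(), 2, 3)),
                         ("WLAN IP block above DNS allow", swapped(proposed_ruleset(), 0, 1))):
        print(f"== {label}")
        for pkt in SAMPLE_PACKETS:
            action, rule = evaluate(rules, *pkt)
            print(f"  {pkt[1]:>14} {pkt[2]}/{pkt[3]:<4} -> {action:5} by {rule}")
```

Running the block prints a decision table for the proposed order and for two misorderings: with rule 4 above rule 3 the webserver becomes unreachable, and with rule 2 above rule 1 the WLAN clients lose DNS, which is the ordering trap Christoph's numbering avoids. The rule that blocks traffic to m0n0wall's own WLAN address is what keeps the firewall's web GUI away from wireless clients.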